A Case Study in Dealing with Ransomware

A particularly insidious type of malware is ransomware, which is secretly installed on your PC and locks the system down. That lockdown is inevitably accompanied by a message demanding payment if the PC’s owner ever wants to access his or her files again. Unless you are very lucky (or the hacker spectacularly incompetent), everything important on your hard drive will be effectively lost to you, unless you pay up.

Earlier versions of ransomware sometimes had flawed encryption, but recent iterations are better designed. Paying the ransom is no guarantee that things will work out either, as Kansas Heart Hospital in Wichita discovered when hackers demanded a second ransom after locking down files.

I recently had an unpleasant encounter with ransomware. Here’s what happened:

The Case

The victim: a small taxi firm in East London with 12 networked PCs (six in a central office, with another six in small satellite offices near railway or London Underground stations). The system took customer bookings via a custom-written Booking and Dispatch program.

I’d performed some programming work for this company on a standalone PC at their central office. One of the managers asked if I’d take a look at their main dispatch-server software. It wouldn’t start after a reboot, it seemed.

I had a background in writing mobile software that communicates with server software, so I knew enough to troubleshoot. The server software ran on a desktop PC, with network shares to the other machines; a MySQL database held all the data. The software automatically dispatched jobs to drivers, allowing a PC’s operator to amend, cancel or rebook jobs. In addition to failing to start, the system reported a missing .txt file.

All the company’s PCs ran Windows XP, except for one on Windows 7. Employees answered email using two of those PCs. After it became clear that we had a malware problem, our best guess was that it had penetrated the network via an email attachment. (Note, though, that hackers occasionally use TeamViewer and other screen-sharing software to break into systems.)

The Malware

We initially identified the culprit as Cerber ransomware, specifically a newer variant that resisted efforts by utility programs such as SpyHunter to remove it. I also checked the registry settings as described by Malwarebytes, hoping to isolate the exact nature of the threat, but had no luck. Cerber has a nasty habit of deleting key files in its wake in order to confound attempts to stop it.

The company decided to restart the software and see how things went. While the server was down, though, the firm had to write down new taxi orders on little slips of paper. It was chaos.

Each infected folder contained three files: # Decrypt My Files.html, # Decrypt My Files.vbs and # Decrypt My Files.txt. The ransomware encrypted any file whose extension was on its target list, giving each one a random filename with the .cerber extension.

The malware infected four PCs at the central office and two at satellite offices; the other six weren’t touched. The damage to these infected PCs was remarkably light: the log files (.log) were all encrypted, as well as one config file (.txt) that the server used for mapping East London into booking zones. After replacing that file, the server was able to run. The only loss was the log files.

The Demand

The # Decrypt My Files.html contained a message asking for 1.2 Bitcoins (about $500) to recover the PC, including details on how to pay. No ransom was paid. The taxi firm’s Managing Director already had a plan to replace all PCs in a few months, as most were six to eight years old. That plan was accelerated, and all 12 PCs were replaced one week after the initial infection.

I returned a week later to help replace the PCs and to my surprise discovered that no further infections had occurred since the first one. It’s my belief that the malware just ran once from one PC and managed to infect five others. But it wasn’t permanent, and didn’t reload after a reboot, so the malware was gone.

A recent article in SC Magazine seemed to confirm that a variant of Cerber only resides in RAM. Meanwhile, another article suggested that Cerber variants use PowerShell to change their signature, but I can’t be sure of that, as the taxi firm’s PCs didn’t have PowerShell installed.

Protecting Yourself

Large companies often have disaster plans in place that include ransomware infections. But what should individuals or small businesses do when confronted with this issue? Crossing your fingers is probably not the best option.

Frequent offsite backups are the obvious first step, although automated backups come with a downside: if your files are maliciously encrypted, the encrypted copies might get backed up as well, overwriting the good ones. If you take this route, make sure that the backup vendor offers a 30-day recovery period or versioning, so you can get back an intact, pre-infection copy of your files.
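The following is an added example, not code from the article or from the taxi firm’s system. It ties together the two practical points above: the indicators described in the case (the three # Decrypt My Files notes dropped in each infected folder, and encrypted files renamed with the .cerber extension) and the advice to keep versioned backups with a 30-day recovery window. scan_tree() sizes the damage on a share before anything is touched; snapshot() copies a source folder into a new dated folder and refuses to run when scan_tree() reports indicators, so an encrypted tree is not pushed over good copies; prune() drops snapshots older than 30 days. The folder layout, the sample tree built in demo(), and all function and path names are assumptions for the demonstration.

```python
"""Added example (not from the article): triage scan for the Cerber
indicators described above, wired into a versioned backup routine."""
import os
import shutil
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# Names taken from the article: the three notes and the encrypted-file extension.
RANSOM_NOTES = {"# Decrypt My Files.html", "# Decrypt My Files.vbs", "# Decrypt My Files.txt"}
ENCRYPTED_EXT = ".cerber"
STAMP = "%Y%m%dT%H%M%S"  # snapshot folder naming (assumed convention)


def scan_tree(root):
    """Walk root; report folders holding a ransom note and .cerber counts per folder."""
    notes_in, encrypted = set(), defaultdict(int)
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name in RANSOM_NOTES:
                notes_in.add(rel)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted[rel] += 1
    return {"notes_in": sorted(notes_in), "encrypted": dict(encrypted),
            "total_encrypted": sum(encrypted.values())}


def snapshot(src, dest_root, when=None):
    """Copy src to dest_root/<timestamp>; raise instead if src shows indicators."""
    report = scan_tree(src)
    if report["notes_in"] or report["total_encrypted"]:
        raise RuntimeError(f"refusing to back up {src}: indicators found {report}")
    when = when or datetime.now()
    target = os.path.join(dest_root, when.strftime(STAMP))
    shutil.copytree(src, target)  # new folder every run: earlier snapshots are kept
    return target


def prune(dest_root, now=None, keep_days=30):
    """Remove dated snapshots older than keep_days; return the names removed."""
    now = now or datetime.now()
    removed = []
    for name in sorted(os.listdir(dest_root)):
        try:
            stamp = datetime.strptime(name, STAMP)
        except ValueError:
            continue  # not one of our snapshot folders
        if now - stamp > timedelta(days=keep_days):
            shutil.rmtree(os.path.join(dest_root, name))
            removed.append(name)
    return removed


def _write(folder, names):
    """Create placeholder files (constructed sample data)."""
    os.makedirs(folder, exist_ok=True)
    for n in names:
        with open(os.path.join(folder, n), "w") as fh:
            fh.write("sample\n")


def demo():
    """Constructed scenario: clean share backed up on day 1 and day 20; on day 40
    the share is infected, the backup is refused, and pruning drops the day-1 copy."""
    base = tempfile.mkdtemp()
    src = os.path.join(base, "share")
    dest = os.path.join(base, "backups")
    os.makedirs(dest)
    _write(os.path.join(src, "dispatch"), ["zones.txt", "dispatch.log"])
    _write(os.path.join(src, "bookings"), ["bookings.mdb"])
    day1 = datetime(2016, 6, 1, 2, 0, 0)
    snapshot(src, dest, day1)
    snapshot(src, dest, day1 + timedelta(days=19))
    # Simulate the damage pattern in the article: originals replaced by random
    # names with .cerber, plus the three notes in the touched folder.
    for f in ("zones.txt", "dispatch.log"):
        os.remove(os.path.join(src, "dispatch", f))
    _write(os.path.join(src, "dispatch"),
           ["Kj8Qx2Lp.cerber", "rT4vNn9a.cerber", *RANSOM_NOTES])
    infected = scan_tree(src)
    refused = False
    try:
        snapshot(src, dest, day1 + timedelta(days=39))
    except RuntimeError:
        refused = True
    removed = prune(dest, now=day1 + timedelta(days=39))
    return {"infected": infected, "refused": refused, "removed": removed,
            "remaining": sorted(os.listdir(dest))}


if __name__ == "__main__":
    print(demo())
```

In the demo the day-20 snapshot survives pruning while the day-1 one is removed, and the infected day-40 run is refused, which is exactly the property the 30-day window is meant to give you: at least one clean copy older than the infection still exists. A real deployment would run snapshot() from a scheduled task against the mapped share and keep the destination on storage the PCs cannot write to directly.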

For individuals, even something as simple as copying files to an external memory stick or drive is better than nothing. If you take this route, keep your USB storage unplugged from your machines when not copying to it.

As email attachments are a prime source of infections, having an email scanner is probably the best way to eliminate that particular vector of attack.

Conclusion

I’ve been thinking about using email clients and Web-browsing only from within VirtualBox, which might keep any ransomware nasties that evade detection from doing much damage. But if you don’t want to consider paying a ransom (and there’s no reason why you should), then the best solution for malware is preparation: back up your files early and often.

And if you’re involved in a business, take the time to educate staff about the dangers of opening email attachments, even if they know the sender.